Pull up the following revisions, requested by martin in ticket #337:
src/usr.sbin/sysinst/configmenu.c 1.25
src/usr.sbin/sysinst/install.c 1.26
src/usr.sbin/sysinst/net.c 1.47
src/usr.sbin/sysinst/upgrade.c 1.22
We have SSL trust anchors in base, so make use of them when downloading
additional items after basic installation is done (even if the installer
used does not come with its own certs, so we can not verify trust
for set download).
Pull up the following revisions, requested by martin in ticket #336:
src/usr.sbin/sysinst/msg.mi.de 1.59
src/usr.sbin/sysinst/msg.mi.en 1.60
src/usr.sbin/sysinst/msg.mi.es 1.50
src/usr.sbin/sysinst/msg.mi.fr 1.53
src/usr.sbin/sysinst/msg.mi.pl 1.56
src/usr.sbin/sysinst/util.c 1.84
Include "tests" and "manhtml" in the optional sets.
Pull up the following revisions, requested by martin in ticket #335:
src/usr.sbin/sysinst/Makefile.inc 1.54
src/usr.sbin/sysinst/configmenu.c 1.24
src/usr.sbin/sysinst/defs.h 1.96
src/usr.sbin/sysinst/main.c 1.37
src/usr.sbin/sysinst/menus.mi 1.31
src/usr.sbin/sysinst/net.c 1.46
When compiled with SMALLPROG (i.e. as part of a crunched ramdisk
userland) ftp(1) does not support https - so remove that option from
sysinst and only offer http in that case.
Should fix PR 60359.
py-ruff: update to 0.15.20.
Preview features
Allow human-readable names in rule selectors (#25887)
Emit a warning instead of an error for unknown rule selectors (#26113)
Match noqa shebang handling in ruff:ignore comments (#26286)
[ruff] Remove pytest-fixture-autouse (RUF076) (#26240, #26371)
Documentation
Add versioning sections to custom crate READMEs (#26317)
Update ruff_python_parser README for crates.io (#26315)
[perflint] Clarify that PERF402 applies to any iterable (#26242)
py-hpack: updated to 4.2.0
4.2.0 (2026-06-22)
**API Changes (Backward Incompatible)**
- Support for Python 3.9 has been removed.
- Support for PyPy 3.9 has been removed.
**API Changes (Backward Compatible)**
- Support for Python 3.14 has been added.
**Bugfixes**
- Headers marked as `sensitive` will no longer log their value at DEBUG level. Instead a placeholder value of `SENSITIVE_REDACTED` is logged.
- Fixed perfect match missed for headers with empty values.
- Restricted variable integer decoding to uint32 to prevent run-away computation. With thanks to `Hiroki Nishino`_.
PR bin/59635 - src/usr.bin/mail: fix post realloc() cleanup
This is a rather hackish solution, much better would be to abandon the
pointers altogether, and simply use message offsets (ints) into the array
to provide the relationships between messages.
Or abandon the message array (and the need for realloc() along with it)
and replace it with a list.
Both methods would achieve the aim of getting rid of the need to go and
massage the data to keep things correct when a realloc moves things around.
Either would require more changes in more places that this crude change,
and to get this done before -11 gets released, the few changes the better.
Another possibility would be to just revert to the adjustment method used
in -10 (which looks like it should work to me - but I don't know why it
was changed).
[4 lines not shown]
p5-List-SomeUtils-XS: update to 0.59.
0.59 2026-06-22
- Fix a heap buffer overflow in the pairwise function when it would return a very large list. Fixed
by Paul Johnson.
expat: update to 2.8.2.
Release 2.8.2 Thu June 25 2026
Security fixes:
#1246 CVE-2026-50219 -- Disallow calls to functions
`XML_GetBuffer`, `XML_Parse`, `XML_ParseBuffer`,
`XML_ParserFree`, `XML_ParserReset` to guard e.g.
Expat bindings from memory corruption;
this CPython issue is related:
https://github.com/python/cpython/issues/146169
#1267 CVE-2026-56131 -- Protect XML_ResumeParser from being called
from a handler, plugging a hole in the fix
to CVE-2026-50219
#1272 CVE-2026-56132 -- Fix out-of-bound scaffolding index store
in `doProlog`
#1229 #1232 CVE-2026-56403 -- Integer overflow in `storeAtts`
#1249 CVE-2026-56404 -- Integer overflow in `addBinding`
#1251 CVE-2026-56405 -- Integer overflow in `getAttributeId`
#1255 CVE-2026-56406 -- Integer overflow in `XML_ParseBuffer`
[70 lines not shown]